Everything You’ve Ever Wanted to Know About Spam But Were Afraid to Ask


Table of Contents

It’s the four-letter word of email marketing. Some marketers won’t even say it or write it. The closest they can come is to call it graymail. But spam exists, and there’s actually far more of it than legitimate emails.

Before we get too far into all the gooey details of spam, let’s define it. The most simple definition of spam is just “unsolicited bulk email”. But that’s just one of many definitions. The SpamHaus Project, an anti-spam organization, uses this definition of spam:

A message is Spam only if it is both Unsolicited and Bulk.

• Unsolicited Email is normal email (examples: first contact enquiries, job enquiries, sales enquiries)

• Bulk Email is normal email (examples: subscriber newsletters, customer communications, discussion lists)

Here’s Google’s definition of spam:


1. Irrelevant or inappropriate messages sent on the Internet to a large number of recipients.

a. unwanted or intrusive advertising on the Internet.

b. "an autogenerated spam website"

2. Trademark

a. A canned meat product made mainly from ham.


1. Send the same message indiscriminately to (large numbers of recipients) on the Internet.

Google’s definition of spam is a little different than SpamHaus’s, or than the CAN SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing) Act of 2003. This is because in addition to email spam, there is also search engine spam, social media spam, and many other kinds of spam. Unfortunately, whenever any information is being passed back and forth or shared online, there’s a potential for spam. What we’re focused on here is email spam. And for our purposes, “unsolicited bulk email” is a workable definition.

Graymail versus spam

But even that is just the email industry’s definition of spam. There’s also consumers’ definition of spam, which is basically any email they don’t want. Email marketers call unwanted email messages “graymail”.

Graymail is basically any message that does not fit a legal or industry definition of spam, but a message that the subscriber just doesn’t want. Graymail can include emails sent too often, irrelevant emails, or emails people don’t remember signing up for. For more reasons why someone might mark a message as spam, see our post, Top 10 Reasons for SPAM Complaints.

Now that we’ve got some common language, let’s walk through the most common questions people have about spam.

How much of email sent is spam?

It depends who you ask, but consider this tweet from a panel at the Email Evolution Conference just two weeks ago. The panel that prompted this tweet included deliverability experts from the “Big 4” email ISPs: Gmail, AOL, Comcast and Outlook.com. This one statistic – that only 5% of emails are “legitimate” – really drives home how much spam is out there.

For another perspective on the exact ratio of spam to legitimate emails, compare Kaspersky Lab’s November 2014 statistics. Kaspersky Lab says spam accounts for 66.9% of all email traffic in Q3 2014. That’s down by 1.7 percent since they measured it in Q2 of the same year.

Does that still seem depressingly high? It’s actually a significant improvement over the use of spam in years’ past, as this chart shows:

what percentage of all emails are spam on a year by year basis


For one final view how much spam is out there, consider the Radicati Group’s Email Statistics Report 2011-2015.

The Radicati Group's count of spam emails that make it into the inbox

According to Radicati, in 2011 the average corporate email user sent and received about 105 emails messages per day. “Despite spam filters, roughly 19% of email messages that are delivered to a corporate email user’s inbox are spam. This includes what is referred to as ‘graymail’ (i.e. unwanted newsletters or notifications).” If we calculate Radicati’s figures for emails received versus spam emails in 2015, we’d see that 15.5% of emails in the inbox are spam or graymail in 2015.

That’s interesting, but it is all still averages. The key takeaway here is that the percentage of spam we get has generally been going down.

Which countries send the most spam?

This we do know, and down to the day. SpamHaus tracks it. Here’s their count of the spammiest countries as of February 15, 2015:

Which countries send the most spam?

Unfortunately, the United States is still the source of much of the spam in the world. 38 percent, to be exact. We send more spam out than the next three countries (China, Russia and Japan) combined.

Who are the world’s worst spammers?

Now that you know the countries that send the most spam, you’re probably wondering if we actually know which people send the most spam. Can we find out if there are actual names tied to the billions of bogus emails? You bet.

Once again, Spam Haus, an anti-spam organization that also keeps one of the world's most feared blacklists, also keeps a running count of the world’s worst spammers. Here’s the top five spammers from that list, as of February 15th:

The world's worst spammers

Read Yair Shalev’s (#2) short biography, especially the last sentence. Yair did actually get sued by the FTC for $350,000. But after you find out what he did, and what he continues to do, $350,000 will seem like a speeding ticket.

Shalev’s fine was earned because just as the Affordable Care Act went into effect, he sent out spam emails that pretended to be from insurance companies. The emails said people would be fined if they didn’t sign up for insurance through the links in those emails. The emails did actually send people to insurance sites, and those sites did pay Shalev for that traffic. There’s an example of one of these rotten emails below.

an example of one of yair shalev's spam emails

If you can bear to learn more, MarketingLand wrote up a detailed post about Shalev’s bust and the tactics he used to run his scam.

Can you actually make money sending spam?

After reading about Shalev, you’re probably wondering how much this racket is worth. Well, it's worth a lot. You can indeed make money spamming. But balance all those dollar signs with legal fees, even if you're lucky enough to avoid the lawsuits. Also get ready for one of the most unbelievably bad conversion rates I've ever heard of.

This is the most recent spam statistic I could find about the average conversion rate for a spam email:

the average conversion rate for a spam email

A conversion rate of .000008% is definitely not something to write home about. Unfortunately, it is just enough to keep the spammers interested.

These figures give us what we need to extract that the botnet Storm (an automated spam program) earned $3.5 million dollars from sending 28 billion emails. That’s $0.000125 dollars earned per spam email sent, or 12.5 cents per thousand.

If Storm could send emails for less than 12.5 cents per thousand, and didn’t have to pay too much in fees for each purchase, it is possible they could have made a profit.

This leads us to one of the major reasons spam still works as a business model: It is basically free to send. So even with a conversion rate that would make any self-respecting marketer resign on the spot, the spammers stay in business. This is because their emails are basically free to send. They can get their email addresses for free, too.

How do spammers get email addresses?

When some of us think of a spam list, we might think of it as being bought. Sometimes that happens, but most spammers “harvest” their lists through what’s called scraper bots. Scrapers are software that troll the web, collecting or “scraping” any email address they find. The anti-spam organizations have created spam traps to trip up some of these scraper bots, but they still do enormous damage.

Some websites show people’s email addresses as “susan at Comcast.com” rather than “Susan@comcast.com” to avoid these scrapers. Unfortunately for Susan, adding the “at” sign with a space on either side is not likely to keep her off spam lists – the software is smart enough to recognize an email address in that format.

That’s just one way spammers get email addresses. Scraper software seems positively benign compared to botnets – the same type of software that sent an estimated 28 billion emails in 2008. Bear in mind that’s just one botnet sending 28 billion emails. It’s not the total count of spam emails sent.

Zombie botnets sending hoards of spam

The real engines of spam are bots, also called “botnets” or even “zombies”. A botnet is a group of bots. They are about as scary as they sound. Bots are scary because they take over hundreds, often thousands or even millions of computers. Then they use those same computers to send their spam. Computers, perhaps, like yours.

Here’s how a spam bot works:

• Somehow a piece of malware gets downloaded to your computer. Maybe you lost your mind for a moment and opened a spam email. Then you lost your mind again and clicked on an .exe file. Maybe you just downloaded an interesting game to play. Maybe your teenager downloaded the game. However it happened, the malware got in.

• The malware lives invisibly on your computer, occasionally checking in to its home computer or server through HTTP requests.

• At some point – the fateful day – the home server sends a set of instructions to the malware on your computer.

• The evil begins. The malware on your computer executes those instructions, using all sorts of data it’s been silently collecting. It will have access to your keystrokes (i.e., your usernames and passwords), your files, which sites you visit, your social media accounts – everything.

• The bot can do whatever it wants, but in our example, it wants to send spam. So it starts sending spam from your computer. It knows the email addresses of all your contacts, too, so it has fresh addresses to mail to.

• The bot can send millions, if not billions of emails out faster than if it was mailing from a server. Just 1,000 computers sending 1,000 spam emails comes out to 1,000,000 emails. To quote from Naked Security’s post How to send 5 million spam emails without even noticing, “In a one week period, from a single computer infected with a single piece of malware:

  • 5.5 million email addresses were spammed.

  • 30 GBytes of outbound email were sent.

  • 750,286 unique spam messages were sent.

  • 26% included another item of malware.

  • 74% contained links to a pharmaceutical website.”

Scary huh? This is why friends don’t let friends open .exe attachments.

In conclusion

Despite the botnets, and the creeps like Yair Shalev, the email industry continues to get better and better and identifying and destroying spam. In the meantime, we email marketers can just keep sending the most useful, entertaining and helpful emails that we can. With some luck, and ever-smarter spam foils, we’ll ultimately beat the spammers.



He does not need any intro. Your know that he will only edit blog posts when it's needed.